2

I would like to update my hosts file and restart dnsmasq from a web interface (php/apache2). I tried playing around with suid bits (the demonstaration). I have both apache and dnsmasq running on an EC2 instance.

I understand that Linux ignores the setuid bit on text scripts, but works on binary files. (Have I got something wrong?). I added exec("whoami"); to the example C program in Wikipedia. Although the effective UID of the C program is 0, whoami does not return root :-(

I would thoroughly like to avoid

echo password | sudo service dnsmasq restart

or adding apache to the sudoers without password! Is there a way out? How does webmin do such things?

Lord Loh.
  • 1,049
  • 3
  • 15
  • 24
  • 1
    Out of curiosity, why are you against doing this via passwordless sudo? That's exactly the sort of thing sudo deals well with. – MadHatter Apr 09 '12 at 18:22
  • 1
    webmin runs as root `# ps -ef | grep webmin **root** 7241 1 0 Mar16 ? 00:01:24 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf` – Tom Apr 09 '12 at 18:44
  • in addition to the logic for using incron, is that using setuid triggers a bunch of IDS alerts from security compliance tools – Tom Apr 09 '12 at 18:47
  • @MadHatter - Would it be a security risk? Couldn't anyone get root access by ticking apache into executing `sudo bash`? – Lord Loh. Apr 09 '12 at 22:50
  • No. See my full answer below. – MadHatter Apr 10 '12 at 06:27

2 Answers2

4

I would take another approach and configure either an incron script which runs as as root, which monitors some file for changes and responds by applying your changes to the /etc/hosts file.

With the incron approach, you set an inotify entry to watch some file for changes, and respond by running a script;

/var/www/hosts IN_CLOSE_WRITE /run/this/as/root

So apache has permissions to write to /var/www/hosts using php or whatever and the /run/this/as/root script runs as root to apply the changes to the /etc/hosts file

Tom
  • 10,886
  • 5
  • 39
  • 62
  • Any idea if I can install it on an EC2 instance without compiling it from source ? – Lord Loh. Apr 09 '12 at 23:01
  • Well, I could not `sudo yum install `it. Had to compile and install it. Make put he binaries in wired places that did not exists and are not in the `PATH`! – Lord Loh. Apr 10 '12 at 06:47
  • I would be highly surprised if EC2 instances didn't support the inotify subsystem, but then again virualized instances can have some odd customizations to their kernels for performance etc. – Tom Apr 10 '12 at 09:11
  • I had incron working for a while. It restarted dnsmasq a few times on changing the hosts file - I could see the results in `ps aux` and the `/var/log/cron`, but after a while, it stopped responding to changes in the hosts file. incrond was still running (visible in `ps aux`) and requests to reload user tables (`incrontab -d`) did show up on the log. The only way to get `incrond` to respond again for a short while was to restart it :-( Any tips on getting around this? – Lord Loh. Apr 12 '12 at 04:45
2

I tend to address this by allowing the process that runs the server, in this case the webserver, to execute the relevant command, and only that command, via passwordless sudo.

For example, here's my sudoers entry to allow a user called NAGIOS (who runs my local monitoring server) to execute a plugin that checks that RAID hardware as root:

nagios  ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_md_raid

You would have something similar, perhaps:

apache  ALL=(root) NOPASSWD: /sbin/service dnsmasq restart

To address your concerns above, this doesn't allow anyone who can subvert the apache process to run sudo bash, sudo shutdown -h now, or even sudo service dnsmasq stop. It only allows exactly what's specified in the sudoers file.

It's true that if the service command is badly written, and if someone can find a way to make running service dnsmasq stop as root via sudo change the mode on the passwd file, or start an allow-all sshd on port 22222, or indeed do anything nefarious, then you have a problem. But in such a case you have a problem however you run the service command as root, whether it's via sudo or any other mechanism. sudo does its best to sanitise the environment, and the service command is a stock part of most GNU/Linuxes (and has been for some time) and therefore probably has no obvious holes.

Running the service command via passwordless sudo is no less safe than any other method of running it, and probably more safe than many home-brewed or other less-well-tested ways.

MadHatter
  • 78,442
  • 20
  • 178
  • 229
  • Good idea. The thought of providing passwordless su access for just a single script had not occurred to me - lack of experience I recon. – Lord Loh. Apr 10 '12 at 06:49
  • 1
    You're welcome, and glad to help; that's why we're all here. But if I may make a small suggestion, consider this a learning experience in asking questions on SF: **don't constrain the solution**. No-one ever asks questions where she fully understands both problem and answer - why would she? So the fact that you're asking a question means you don't understand the optimum solution, and thus in laying down arbitrary constraints on the solution (eg "no sudo") you may well block solutions that work perfectly well for you, merely because you didn't know they existed. – MadHatter Apr 10 '12 at 07:13
  • I tried your solution. I wrote a script that had `sudo service dnsmasq restart` when I execute this script as `sudo -u apache restartScript`, it restarts the service fine. However, when I restart it from the browser, it does not work :-( running `whoami` returns `apache`, but the service restart fails :-( I wrote a C program that behaves the exact same way. What could be wrong? – Lord Loh. Apr 12 '12 at 04:41
  • More observation: using php `passthru ("ls -al");` works fine, but `sudo ls -al` does not return anything from that line. The rest of the script works fine. apache error log has the message `sudo: sorry, you must have a tty to run sudo` for each attempted sudo. – Lord Loh. Apr 12 '12 at 05:08
  • http://serverfault.com/a/111102/85585 is an answer I found that helps me get rid of the requiretty from sudoers on per user basis. And this restarted the service too! – Lord Loh. Apr 12 '12 at 05:28